Rowland penny
2020-Dec-18 14:49 UTC
[Samba] Users can't mount shares on a domain member file server
On 18/12/2020 14:15, MAS Jean-Louis via samba wrote:
> On 16/12/2020 at 18:25, Rowland penny via samba wrote:
>
>> I think I might know what is the problem, but first, you do not need
>> these:
>>
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>
> Those objectClasses provide a lot of attributes we currently use,
> mostly for our Linux users.
> If I delete them, I guess our users will not be able to connect to
> Linux servers, which are not part of our Samba domain but use our AD
> for authentication (with nslcd mappings)

Well, you would guess wrong: posixAccount and shadowAccount are auxiliaryClasses of the 'user' objectclass and inetOrgPerson is a subclass of 'user', so you don't need them to get the attributes.

>> You have changed the primaryGroupID, why?
>
> Old accounts, such as mine, have been created like that; most of them have
> been changed to 'Domain users' some time ago. Now my primaryGroupID is
> correct
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com sAMAccountName=jlmas | grep primaryGroupID
>
> primaryGroupID: 513
>
> I checked our AD, and all our users have the right primaryGroupID
>
>> Windows expects that every user's primary group is Domain Users and
>> now it is whatever '2906' is, this is what I think your problem is.
>> Samba also requires Domain Users, though to be honest I am unsure
>> whether it requires the name or the numeric ID, but it looks like
>> whichever it is that winbind does not like this.
>
> I have flushed the winbind cache
>
> Now uid and gid are OK, but unixHomeDirectory and loginShell are not
>
> $ getent passwd jlmas
> jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

You have a line missing from your smb.conf:

idmap config EXAMPLE : unix_nss_info = yes

> The only wrong point came from 'net ads testjoin'
>
> # net ads testjoin
>
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> Join to domain is not valid: An invalid parameter was passed to a
> service or function.

Did you run the command as root? If not, try again using root or sudo.

Rowland
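The symptom above (correct uid/gid from `getent passwd`, but the `template homedir` and `template shell` values instead of the AD `unixHomeDirectory` and `loginShell`) is exactly what happens when an `ad` idmap backend is configured without `unix_nss_info = yes`. The following is an added example, not code from the thread or from the Samba project: a POSIX shell check that parses the `idmap config <DOMAIN> : <option> = <value>` lines of an smb.conf and reports every ad-backed domain that lacks that setting. The smb.conf fragment is constructed for the example (the ranges and `schema_mode` value are assumptions, chosen to look realistic), and the function name `check_unix_nss_info` is my own.

```shell
#!/bin/sh
# Added example (not from the thread): check an smb.conf for
# 'idmap config <DOMAIN> : unix_nss_info = yes' on every domain whose
# idmap backend is 'ad'. Without it, winbind takes uid/gid from AD but
# fills home directory and shell from 'template homedir'/'template shell',
# which is what the /home/EXAMPLE/jlmas:/bin/false output above shows.

# Constructed smb.conf [global] fragment with the line missing
# (a sample for this example, not the poster's real configuration).
SMB_CONF_BEFORE='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   template shell = /bin/false
   template homedir = /home/%D/%U
'

# The same fragment with the line Rowland pointed out added.
SMB_CONF_AFTER="$SMB_CONF_BEFORE   idmap config EXAMPLE : unix_nss_info = yes
"

# check_unix_nss_info CONF_TEXT
# Prints, one per line, each ad-backed domain that lacks unix_nss_info = yes.
# Exit status 0 when every ad-backed domain has it, 1 otherwise.
check_unix_nss_info() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap[ \t]+config[ \t]+/ {
            line = $0
            sub(/[;#].*/, "", line)                        # drop trailing comments
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line) # keep "<dom> : <opt> = <val>"
            if (split(line, kv, "=") < 2) next             # no "=": not a setting
            if (split(kv[1], dk, ":") < 2) next            # no ":": not domain-scoped
            dom = toupper(dk[1]); opt = tolower(dk[2]); val = tolower(kv[2])
            gsub(/[ \t]/, "", dom); gsub(/[ \t]/, "", opt); gsub(/[ \t]/, "", val)
            if (opt == "backend" && val == "ad") adbacked[dom] = 1
            if (opt == "unix_nss_info" && (val == "yes" || val == "true" || val == "1"))
                nssinfo[dom] = 1
        }
        END {
            bad = 0
            for (d in adbacked) if (!(d in nssinfo)) { print d; bad = 1 }
            exit bad
        }'
}

# Stand-alone usage: report on both fragments.
if missing=$(check_unix_nss_info "$SMB_CONF_BEFORE"); then
    echo "before fix: every ad-backed domain has unix_nss_info = yes"
else
    echo "before fix: unix_nss_info = yes missing for: $missing"
fi
if missing=$(check_unix_nss_info "$SMB_CONF_AFTER"); then
    echo "after fix: every ad-backed domain has unix_nss_info = yes"
else
    echo "after fix: unix_nss_info = yes missing for: $missing"
fi
```

On a real member server, feed it the output of `testparm -s` rather than the raw file, so that includes and defaults are already resolved; the parse only looks at `idmap config` lines, so the rest of the configuration does not matter.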
MAS Jean-Louis
2020-Dec-21 16:26 UTC
[Samba] [Solved] Users can't mount shares on a domain member file server
On 18/12/2020 at 15:49, Rowland penny via samba wrote:
> posixAccount and shadowAccount are auxiliaryClasses of the 'user'
> objectclass and inetOrgPerson is a subclass of 'user', so you don't
> need them to get the attributes.

OK, we've got a lot of old accounts with inetOrgPerson; now it's fixed. All our new accounts came with the objectClasses posixAccount and shadowAccount. I suppose that the account creation script is the culprit. Yet another thing to check on my side.

> You have a line missing from your smb.conf:
>
> idmap config EXAMPLE : unix_nss_info = yes

Quite right. This line fixed our problems. I messed with /etc/krb5.conf at the same time, but back with our initial krb5.conf version, Samba runs fine.

>> The only wrong point came from 'net ads testjoin'
>>
>> # net ads testjoin
>>
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
>> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
>> An invalid parameter was passed to a service or function.
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
>> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
>> An invalid parameter was passed to a service or function.
>> Join to domain is not valid: An invalid parameter was passed to a
>> service or function.
>
> Did you run the command as root? If not, try again using root or sudo.

Yes. I have prefixed all root commands with #, and standard user commands with $, for the sake of clarity. This point is not solved yet, although it's not very important, as Samba runs fine. Just a bit of curiosity, in fact.

Thank you very much for your very helpful remarks.

--
Jean Louis Mas